The hack was pulled off against the RF28HMELBSR smart fridge, part of Samsung’s line-up of Smart Home appliances which can be controlled via their Smart Home app. While the fridge implements SSL, it fails to validate SSL certificates, thereby enabling man-in-the-middle attacks against most connections.

The internet-connected device is designed to download Gmail Calendar information to an on-screen display. Security shortcomings mean that hackers who manage to jump on to the same network can potentially steal Google login credentials from their neighbours.

"The internet-connected fridge is designed to display Gmail Calendar information on its display," explained Ken Munro, a security researcher at Pen Test Partners. "It appears to work the same way that any device running a Gmail calendar does. A logged-in user/owner of the calendar makes updates and those changes are then seen on any device that a user can view the calendar on."

"While SSL is in place, the fridge fails to validate the certificate. Hence, hackers who manage to access the network that the fridge is on (perhaps through a de-authentication and fake Wi-Fi access point attack) can Man-In-The-Middle the fridge calendar client and steal Google login credentials from their neighbours, for example."

Warm beer

Pen Test Partners provides a walk-through of its various attempts to hack into the fridge in a blog post. It drove up several cul-de-sacs before discovering the way through to an exploit.

As the fridge is not yet available in Europe, the UK-based security consultancy ran out of time at DEF CON in its attempts to intercept communications between the fridge terminal and the software update server. Attempts to mount a firmware-based attack via customer updates also got nowhere. However they had more luck when it pulled apart the mobile app, discovering a potential (but as yet unconfirmed) security problem in the process.

The name of a file found in a keystore in the mobile app’s code suggested that it contained the certificate used to encrypt traffic between mobile app and fridge. The certificate is correctly passworded, but the credential to the certificate appeared to be stored in the mobile app in an obfuscated form. If so, the next step would be to figure out the password, then use the certificate data to authenticate to the fridge and send commands to it over the air.

Pen Test Partners' Pedro Venda added: “We wanted to pull the terminal unit out of the fridge to get physical access to things like a USB port and serial or JTAG interfaces, but ran out of time. However, we still found some interesting bugs that definitely merit further investigation. The MiTM alone is enough to expose a user’s Gmail creds."

The team at Pen Test Partners is doing more and more IoT security and hacking research of late. Back in February, it published research which revealed Samsung's smart TVs fail to encrypt voice recordings sent over the internet.

Update

Samsung has contacted us to say that they were looking into the matter: "At Samsung, we understand that our success depends on consumers’ trust in us, and the products and services that we provide. We are investigating into this matter as quickly as possible. Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users.” ®